A popular AI-powered coding platform, Orchids, has been found to have a significant and currently unpatched cybersecurity vulnerability, allowing attackers to potentially gain control of users’ computers. The flaw, demonstrated to the BBC by cybersecurity researcher Etizaz Mohsin, highlights the risks inherent in granting AI tools deep access to systems in exchange for convenience.
Orchids, categorized as a “vibe-coding” tool, aims to democratize software development by enabling individuals without traditional coding skills to build applications and games through natural language prompts. The platform has seen a surge in popularity alongside other AI-driven development tools, touted as a way to accelerate and reduce the cost of software creation. The company claims to have a million users and lists Google, Uber, and Amazon among its clientele, and is rated highly for certain aspects of vibe coding by analysts like App Bench.
The vulnerability allows an attacker to inject malicious code into a user’s project, potentially gaining access to the underlying system. In a demonstration for the BBC, Mohsin was able to add a line of code to a test project – a game based on the BBC News website – without the user’s knowledge. This seemingly innocuous addition allowed him to change the desktop wallpaper and create a notepad file confirming the compromise, effectively demonstrating a “zero-click” attack scenario.
“You are hacked,” Mohsin effectively showed, by altering the user’s system without requiring any action on their part. The implications are substantial: an attacker could potentially install malware, steal sensitive data, or even access a user’s webcam, and microphone. This differs from typical hacks that rely on tricking users into downloading malicious software or revealing credentials.
Mohsin discovered the flaw in December 2025 and spent weeks attempting to notify Orchids through various channels – email, LinkedIn, and Discord – before receiving a response. The company initially stated they may have “possibly missed” his warnings, citing a high volume of incoming messages.
The incident underscores the emerging security challenges posed by “agentic AI” – AI systems designed to autonomously perform tasks. These tools, like the recently popularized Clawbot (also known as Moltbot or Open Claw), offer increased automation but also expand the attack surface. Clawbot, capable of managing calendars and sending messages with minimal user input, has been downloaded hundreds of thousands of times, raising similar concerns about system access and potential vulnerabilities.
Experts warn that the ease with which Orchids could be compromised should serve as a cautionary tale. Kevin Curran, professor of cybersecurity at Ulster University, emphasizes that “without discipline, documentation, and review, such code often fails under attack.” The core issue is the inherent risk of granting AI agents extensive permissions without robust security measures.
While Mohsin has only identified the vulnerability in Orchids so far, he believes it highlights a broader risk across the emerging landscape of vibe-coding platforms, including Claude Code, Cursor, Windsurf, and Lovable. The potential for malicious code injection and system compromise exists wherever AI is granted significant autonomy and access to user systems.
Karolis Arbaciauskas, head of product at NordPass, advises users to exercise caution when experimenting with these tools, recommending they be run on dedicated machines with disposable accounts to limit potential damage. This approach minimizes the risk of compromising primary systems or sensitive data.
The Orchids incident arrives amidst growing scrutiny of AI security. Recent reports indicate that advanced language models like Anthropic’s Claude Opus 4.6 are being used to proactively identify previously unknown security flaws in open-source libraries, discovering over 500 high-severity vulnerabilities in projects like Ghostscript, OpenSC, and CGIF. Meanwhile, ZAST.AI, a company focused on AI-powered code security, recently secured $6 million in pre-A funding, signaling increased investment in addressing these emerging threats. The discovery of hundreds of zero-day vulnerabilities in 2025 by ZAST.AI, affecting widely used components like the Microsoft Azure SDK and Apache Struts XWork, further illustrates the scale of the challenge.
The rise of zero-click attacks, exploiting software vulnerabilities without user interaction, represents a significant escalation in cyber threats. As AI systems become more integrated into our digital lives, securing these platforms and mitigating the risks associated with autonomous access will be crucial to maintaining cybersecurity.
